From: Ludovic R. <lud...@gm...> - 2016-06-30 07:52:17
Hello,

PAM PKCS#11 [1] is a Pluggable Authentication Module (PAM) using a PKCS#11 library (smart card, crypto token, etc.). The purpose is to be able to use a smart card to login to a GNU/Linux system.

With the introduction of OpenSSL 1.1.0 the API has changed and much software, including pam-pkcs#11, needs to be updated to use the new API. For example see [2] for a patch for OpenSC.

I am the only maintainer of the pam-pkcs11 project. I do not use this software myself any more.
I do not have the free time (and motivation) to invest in a code change of pam-pkcs11 to support the new OpenSSL API.
If nobody volunteers to do this work then:
- pam-pkcs11 will not work with OpenSSL 1.1.0
- pam-pkcs11 will be removed from the GNU/Linux distributions
- pam-pkcs11 will not be usable any more.

A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl 1.1.0"
FTBFS is Fails To Build From Source.
When OpenSSL 1.1.0 is included in Debian, pam-pkcs11 will be removed from Debian, unless someone adds support for the new OpenSSL API.

If you (or your company) use pam-pkcs11 you should worry about the situation.

RedHat provides [4] pam-pkcs11 to its customers. It could be a good idea for RedHat to invest some R&D time to take over maintenance of the software to keep its (paying) customers happy.

Regards,

[1] https://github.com/OpenSC/pam_pkcs11/wiki
[2] https://github.com/OpenSC/OpenSC/pull/749/files
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828487
[4] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html

--
Dr. Ludovic Rousseau
From: David W. <dw...@in...> - 2016-06-30 10:07:13
Attachments:
smime.p7s
On Thu, 2016-06-30 at 11:41 +0200, Nikos Mavrogiannopoulos wrote:
> On Thu, 2016-06-30 at 09:51 +0200, Ludovic Rousseau wrote:
> >
> > A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl 1.1.0"
> > FTBFS is Fails To Build From Source.
> > When OpenSSL 1.1.0 is included in Debian, pam-pkcs11 will be removed from Debian, unless someone adds support for the new OpenSSL API.
> >
> > If you (or your company) use pam-pkcs11 you should worry about the situation.
> >
> > RedHat provides [4] pam-pkcs11 to its customers. It could be a good idea for RedHat to invest some R&D time to take over maintenance of the software to keep its (paying) customers happy.
>
> Note that in Red Hat we use pam-pkcs11 with NSS and not openssl. That option (to my knowledge) seems to work even today.

FSVO "seems to work", which I wouldn't necessarily advocate because it doesn't actually comply with that distribution's own packaging guidelines — it doesn't load the correct modules according to the system's PKCS#11 configuration. Hence https://bugzilla.redhat.com/show_bug.cgi?id=1173548

Like many packages in Fedora, we should probably move *away* from NSS unless it gets fixed to comply with the distribution's guidelines. I have a GSoC student working on supporting RFC7512 URIs in NSS this year, but not a lot of progress on loading the correct tokens by default.

--
David Woodhouse
Open Source Technology Centre
Dav...@in...
Intel Corporation
From: Ludovic R. <lud...@gm...> - 2016-08-22 09:12:41
Hello,

After 2 months with no volunteer to take care of pam-pkcs#11 I created a new README.md page on the github project to indicate the project is no longer maintained.
https://github.com/OpenSC/pam_pkcs11/blob/master/README.md

I will also orphan the Debian package.
I guess the Debian (and Ubuntu) package will be removed once OpenSSL 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.

Regards,

2016-06-30 9:51 GMT+02:00 Ludovic Rousseau <lud...@gm...>:
> [...]

--
Dr. Ludovic Rousseau
From: David W. <dw...@in...> - 2016-08-22 13:08:37
Attachments:
smime.p7s
On Mon, 2016-08-22 at 11:12 +0200, Ludovic Rousseau wrote:
> Hello,
>
> After 2 months with no volunteer to take care of pam-pkcs#11 I created a new README.md page on the github project to indicate the project is no longer maintained.
> https://github.com/OpenSC/pam_pkcs11/blob/master/README.md
>
> I will also orphan the Debian package.
> I guess the Debian (and Ubuntu) package will be removed once OpenSSL 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.

I assume the Fedora package will remain for now, as it's built against NSS and still works. We are getting closer to having NSS actually working with RFC7512 PKCS#11 URIs and loading the right tokens according to the system configuration too.

For the OpenSSL support, I am disinclined to fix it up as it stands — I note it's doing everything for itself and not even using libp11.

I do still plan to fix up OpenSSL after the 1.1 release and basically render libp11 obsolete by adding the same functionality natively to crypto/pkcs11/ in OpenSSL (1.2) itself. At that point, maybe it makes sense to resurrect the OpenSSL support in pam_pkcs11. But for now I don't think it makes sense to patch it up. If somebody really cared, migrating it to libp11 might be the way to go. Because we *will* have a migration strategy for libp11 users to OpenSSL 1.2, and the APIs may well end up being very similar.

--
dwmw2
From: Douglas E E. <dee...@gm...> - 2016-08-22 17:45:05
Looking at the code, it looks like it is only parsing the certificate and getting public keys and other values from the certificate.
It does not include rsa.h, but does include bn.h.
It looks like it would not take very much effort to use a stripped down version of the cs-ossl-compat.h from OpenSC https://github.com/OpenSC/OpenSC/pull/853

I don't use it, so someone is still needed to do some testing.

On 8/22/2016 4:12 AM, Ludovic Rousseau wrote:
> Hello,
>
> After 2 months with no volunteer to take care of pam-pkcs#11 I created a new README.md page on the github project to indicate the project is no longer maintained.
> https://github.com/OpenSC/pam_pkcs11/blob/master/README.md
>
> I will also orphan the Debian package.
> I guess the Debian (and Ubuntu) package will be removed once OpenSSL 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.
>
> Regards,
>
> 2016-06-30 9:51 GMT+02:00 Ludovic Rousseau <lud...@gm...>:
> > [...]
>
> --
> Dr. Ludovic Rousseau

--
Douglas E. Engert <DEE...@gm...>